05-24-2016 01:42 AM - edited 02-21-2020 05:49 AM
Is it possible disable diffie-hellman-group1-sha1 in a Cisco 2811 Os v.12.4(24)T2 router?
I put this command:
> ip ssh dh min size 2048
for 2048 bits, but in security scanning says that it permits:
| kex_algorithms: (3)
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1
So no pass security certification. For Cisco ASA there is a command like this:
> no ssh ssh key-exchange {dh-group1 ........
But I need for a Cisco 2811 router, and doesn't exist that command. Also I've tried:
> no ip ssh dh min size 1024
but I don't achieve the desired result.
Thanks,
Oscar
Gracias
Oscar
05-24-2016 12:16 PM
I don't believe you can prevent it from showing that up.
However the "ip ssh dh min size 2048" should prevent the use of diffie-hellman-group-exchange-sha1. If you can verify this then you have complied, just the scan is giving a false positive.
05-25-2016 01:32 AM
Hi Philip,
the problem is when I try a debug with a ssh client forcing the use of DH Group-1:
$> ssh -vvv -o "KexAlgorithms diffie-hellman-group1-sha1" user@router2811_ip:
..............................
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1 (forcing algorithm from client)
...............................
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 (algorithms permits from server)
................................
debug2: dh_gen_key: priv key bits set: 121/256
debug2: bits set: 504/1024 (when you don't force from client it says .../2048)
.........................................
I understand that router is not forcing to a minimal 2048 bits, it looks like a default option. So, it's possible the use of DH-group1 (with force parameters by client), and it's possible that it doesn't pass security pci certification.
Thanks,
Oscar
05-25-2016 12:02 PM
I just tested this on a Cisco 2911 running 15.4(3)M4.
First I tried connecting using your command and it worked fine. Then I put the "ip ssh dh min size 2048" command in the config, and using the same "ssh" command you gave I tried connecting and it refused.
Note that it still appears to offer diffie-hellman-group1-sha1, but refuses to connect with it.
I note that 15.4(3)M4 is not available for the 2811, due to its age. So I recommend going to the "gold star" release of 15.1.4M10. I am about 90% confident that will resolve your issue.
If it doesn't resolve your issue, and this is really important to you, then you have no choice but to replace the 2811. You could either use a 2911 running 15.4(3)M4, since you know it definitely works, but you should really be looking at a 4000 series router, since both the 2811 and 2911 have been superseded by them.
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: (no match)
Unable to negotiate with 192.168.72.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
10-10-2022 06:46 AM - edited 10-10-2022 06:54 AM
.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide